-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-041
Product: d.ecs shell
Manufacturer: d.velop AG
Affected Version(s): < 7.30.14 (Annual 2024 Patch 12),
                     < 7.33.4 (Annual 2025 Patch 2),
                     < 7.34.1 (Current 2025.Q1 Patch 1)
Tested Version(s): 7.33
Vulnerability Type: Cross-Site Scripting (CWE-79)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2025-06-03
Solution Date: 2025-07-08
Public Disclosure: 2025-08-01
Author of Advisory: Marcel Wölke, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

d.ecs shell is a web client for accessing the d.3ecm product suite.

The manufacturer describes the product as follows (see [1]):

"The d.ecs shell component is the central framework for displaying
d.velop apps".

This advisory is a follow-up to a vulnerability labeled as DV-SEC-2025-03
by the manufacturer. The original vulnerability dealt with the insecure
usage of user-provided URL parameters, which resulted in DOM-based
cross-site scripting (XSS) injection.

The initial patch provided by the manufacturer does not close the
vulnerability completely, allowing arbitrary JavaScript to be executed
after users click on a malicious URL and then interact with certain UI
elements.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The application's JavaScript code writes parts of the URL parameter into
the href attribute of an HTML anchor tag. Given a specific query, it was
possible to escape this anchor tag, allowing arbitrary HTML, including
JavaScript, to be written into the document.

This vulnerability, labeled DV-SEC-2025-03, was addressed by the
manufacturer in the product version 7.30.13 [2].

However, even with the provided fix, it is still possible to add
arbitrary attributes to the HTML anchor tag.
This can be abused by adding JavaScript event listeners which trigger
upon certain user interactions, for example when the element becomes
visible or when a user hovers over the HTML element.

Since the relevant HTML element is hidden by default, no attack vector
was discovered which executes the injected JavaScript without further
user interaction.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

1. Access the following URL while authenticated (Chrome only):

https:///shell/#/home/%22%20oncontentvisibilityautostatechange=alert(1)%20style=display:block;content-visibility:auto%20

2. Open the burger menu located in the top-right corner.

3. A JavaScript alert message should appear.

Similar payloads can be built for other browsers.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The manufacturer fixed the vulnerability in versions 7.30.14, 7.33.4 and
7.34.1, depending on the used update feed. Users are encouraged to
upgrade to one of these versions.
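The root cause described above is a URL fragment concatenated into the markup of an anchor element, so that a double quote in the fragment terminates the href value and everything after it is parsed as further attributes on the element. The following is an added example (not d.velop's code, and not taken from this advisory) that contrasts that vulnerable construction with a hardened one, and includes a small attribute-name parser so the effect of each variant on the resulting <a> element can be checked offline. The route path, the allowlist regular expression SAFE_SEGMENT and all function names are assumptions for illustration; the only input taken from the advisory is its PoC fragment.

```javascript
// Added example, not part of the SySS advisory or the d.ecs shell code base.
// The route prefix "/shell/#/home/" and the policy below are assumptions.

// Vulnerable pattern: the decoded fragment is concatenated directly into
// markup. A '"' in the fragment closes the href value, and the rest of the
// fragment is parsed as additional attributes (event handlers, style, ...).
function buildLinkVulnerable(fragment) {
  const decoded = decodeURIComponent(fragment);
  return `<a href="/shell/#/home/${decoded}" style="display:none">Home</a>`;
}

// Escape the characters that matter inside a double-quoted HTML attribute.
function escapeHtmlAttribute(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Hypothetical allowlist for a route segment: only URL path characters.
// Real code should derive this from the application's actual route grammar.
const SAFE_SEGMENT = /^[A-Za-z0-9._~\/-]*$/;

// Hardened pattern, two independent layers:
//  1. validate the decoded segment against an allowlist and refuse the link
//     entirely on any violation (quotes, spaces, '=', ...);
//  2. attribute-escape whatever is rendered into markup anyway, so that a
//     future relaxation of the allowlist cannot reopen attribute injection.
function buildLinkSafe(fragment) {
  let decoded;
  try {
    decoded = decodeURIComponent(fragment);
  } catch (e) {
    return null; // malformed percent-encoding: refuse rather than guess
  }
  if (!SAFE_SEGMENT.test(decoded)) {
    return null;
  }
  return `<a href="/shell/#/home/${escapeHtmlAttribute(decoded)}" style="display:none">Home</a>`;
}

// Minimal attribute tokenizer for the first <a ...> tag of a markup string.
// Returns the lower-cased attribute names the browser would see, honouring
// quoted and unquoted values, so injected attributes become visible.
function anchorAttributeNames(markup) {
  const m = /<a\s([^>]*)>/.exec(markup);
  if (!m) return [];
  const s = m[1];
  const names = [];
  let i = 0;
  while (i < s.length) {
    if (/\s/.test(s[i])) { i++; continue; }
    const start = i;
    while (i < s.length && !/[\s=]/.test(s[i])) i++;   // attribute name
    names.push(s.slice(start, i).toLowerCase());
    while (i < s.length && /\s/.test(s[i])) i++;
    if (s[i] !== '=') continue;                         // valueless attribute
    i++;
    while (i < s.length && /\s/.test(s[i])) i++;
    if (s[i] === '"' || s[i] === "'") {                 // quoted value
      const q = s[i++];
      while (i < s.length && s[i] !== q) i++;
      i++;
    } else {                                            // unquoted value
      while (i < s.length && !/\s/.test(s[i])) i++;
    }
  }
  return names;
}

// The fragment from the advisory's PoC URL, used here only as test input.
const POC_FRAGMENT =
  '%22%20oncontentvisibilityautostatechange=alert(1)%20style=display:block;content-visibility:auto%20';

// Stand-alone demonstration.
console.log('vulnerable :', anchorAttributeNames(buildLinkVulnerable(POC_FRAGMENT)));
console.log('hardened   :', buildLinkSafe(POC_FRAGMENT));
console.log('benign     :', anchorAttributeNames(buildLinkSafe('documents')));
```

In real DOM code the cleanest fix is not to build markup strings at all: create the element and assign the value through the DOM API (for example element.setAttribute('href', value) or element.href = value), where attribute boundaries cannot be escaped, and still validate the value against the expected route grammar, since a URL attribute accepts javascript: and data: schemes even when no quote is present.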
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2025-05-26: Already known vulnerability DV-SEC-2025-03 independently
            discovered
2025-05-30: Original vulnerability reported to manufacturer
2025-06-02: Manufacturer informed SySS GmbH that the vulnerability was
            already known and a hotfix had recently been provided
2025-06-03: Workaround for the hotfix discovered and reported to
            manufacturer
2025-06-04: Workaround acknowledged by manufacturer
2025-07-08: Fix provided for the annual feed 2025 by the manufacturer
            (other feeds had been fixed before)
2025-08-01: Vulnerability publicly disclosed by SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] d.velop documentation
    https://help.d-velop.de/docs/en/pub/standardports-prozesse-dienste/2021-01-15/overview-of-default-ports-processes-and-services-of-dvelop-software
[2] d.velop security advisory DV-SEC-2025-03
    https://serviceportal.d-velop.de/de/products/security-advisories/cmagkrwamx2pd07w248yoi72c
[3] SySS Security Advisory SYSS-2025-041
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-041.txt
[4] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by:

E-Mail: marcel.woelke@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Marcel_Woelke.asc
Key ID: 0xE3CB1C0CCD366083
Key Fingerprint: 27C6 3368 E540 DBD3 B052 EBB8 E3CB 1C0C CD36 6083

E-Mail: angel.lomeli@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Angel_lomeli.asc
Key ID: 0x3511BA21C68F0D7A
Key Fingerprint: A081 85AB C051 78ED CE8A F8E2 3511 BA21 C68F 0D7A

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQQnxjNo5UDb07BS67jjyxwMzTZggwUCaInb7AAKCRDjyxwMzTZg
g7FqAPwJgjFRe81esqfyHcaTup85NROEl1oSQduiwFa5rSf5KgEA0VfgYtW1rbRT
qhfDzlHURA/+3GJsgFeVF6uS71OZqAg=
=nbyn
-----END PGP SIGNATURE-----